Welcome to Splunk Answers, a Q&A forum for users to find answers to questions about deploying, managing, and using Splunk products. Contributors of all backgrounds and levels of expertise come here to find solutions to their issues, and to help other users in the Splunk community with their own questions.

Honestly, if the DB is changing and it's not too big (1-3 tables, <100000 rows), I would just use the lookup table function in DB Connect instead of trying to index everything. In that case it would query the DB based on the update settings you have in there (every few minutes to once a day depending on your needs).

You're able to load the lookup in as the initial search data with the command | inputlookup at the beginning of the query. I haven't used SCCM in a long time, but your use case should be fine; it may be better if you have a lot of tables to try and nail down the inputs.